Good riddance to the Java plugin

By Brian Krebs

3 February 2016 - 07:10am

Good news: Oracle says the next major version of its Java software will no longer plug directly into the user's web browser. This long overdue step should cut down dramatically on the number of computers infected with malicious software via opportunistic, so-called "drive-by" download attacks that exploit outdated Java plugins across countless browsers and multiple operating systems.

According to Oracle, some 97 per cent of enterprise computers and a whopping 89 per cent of desktop systems in the US run some form of Java. This has made Java JRE (the form of Java that runs most commonly on end-user systems) a prime target of malware authors.

Java is installed on roughly 850 million computers worldwide.

"Exploit kits," crimeware made to be stitched into the fabric of hacked and malicious sites, lie in wait for visitors who browse the booby-trapped sites. The kits can silently install malicious software on the computer of anyone who visits, or is forcibly redirected to, a booby-trapped site without having the latest version of the Java plugin installed. In addition, crooks are constantly trying to inject scripts that invoke exploit kits via tainted advertisements submitted to the major ad networks.

These exploit kits — using names like "Angler," "Blackhole," "Nuclear" and "Rig" — are equipped to try a kitchen sink full of exploits for various browser plugins, but historically most of those exploits have been attacks on outdated Java and Adobe Flash plugins. As a result, I've long warned users to remove Java altogether, or at least unplug it from the browser unless and until it is needed.

On January 27, 2016, Oracle took a major step toward reducing the effectiveness of exploit kits and other crimeware when the company announced it was pulling the browser plugin from the next desktop version of Java – Java JRE 9.

"By late 2015, many browser vendors have either removed or announced timelines for the removal of standards based plugin support, eliminating the ability to embed Flash, Silverlight, Java and other plugin based technologies," wrote Dalibor Topic, principal product manager for Open Java Development Kit (OpenJDK).

"With modern browser vendors working to restrict and reduce plugin support in their products, developers of applications that rely on the Java browser plugin need to consider alternative options such as migrating from Java Applets (which rely on a browser plugin) to the plugin-free Java Web Start technology," Topic continued. "Oracle plans to deprecate the Java browser plugin in JDK 9. This technology will be removed from the Oracle JDK and JRE in a future Java SE release."

I look forward to a world without the Java plugin (and to not having to remind readers about quarterly patch updates) but it will probably be years before various versions of this plugin are mostly removed from end-user systems worldwide. And some businesses still reliant on very old versions of Java will continue to use outdated versions of the program.

But for most users, there is no time like the present to determine whether you have Java installed and decide whether it's time to give it the boot once and for all. Hopefully, this is the last time I will have to include these boilerplate instructions on how to do that:

Windows users can check for the program in the Add/Remove Programs listing in Windows, or visit Java.com and click the "Do I have Java?" link on the homepage. Oracle's instructions for removing Java from Mac OS X systems are available here.

If you have a specific use or need for Java, make sure you have the latest version. Also, know that there is a way to have this program installed while minimising the chance that crooks will exploit unknown or unpatched flaws in the program: Unplug it from the browser unless and until you're at a site that requires it (or at least take advantage of click-to-play, which can block web sites from displaying both Java and Flash content by default). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel.

Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

Many people confuse Java with JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. For more about ways to manage JavaScript in the browser, check out my tutorial Tools for a Safer PC.